import old docs from alberti

This section is all old documentation imported from alberti.

[[!map pages="tsa/old/*"]]

on serra:

in /etc/backuppc:

- edit hosts, add the host in question

- create a file called $host.pl,

  . include the common file,

  . list shares to be backed up

  (use an existing file as template)

sudo apt-get update &&

sudo apt-get install tor-nagios-checks &&

sudo sed -i -e 's/^#DAEMON/DAEMON/' /etc/default/nagios-nrpe-server &&

sudo env -i /etc/init.d/nagios-nrpe-server restart &&

if [ -e '/etc/firehol/firehol.conf' ] ; then

        echo 'You might want to add these to /etc/firehol/firehol.conf:'

        echo

        cat << EOF

server custom monit tcp/4949 default accept src 38.229.70.32

server custom nrpe tcp/5666 default accept src 38.229.70.32

server ntp accept src 38.229.70.32

server icmp accept src 38.229.70.32

EOF

fi

#!/bin/bash

# RUN ON moly

#############

set -e

set -u

VG=vg0

SUITE=wheezy

MIRROR=http://ftp.us.debian.org/debian

#SPONSOR="xx"

check_installed() {

    local p

    for p in "$@"; do

        if ! dpkg -l "$p" 2>/dev/null | grep -q '^ii'; then

            echo >&2 "Error: package $p not installed:"

            echo >&2 "  apt-get install $*"

            exit 1

        fi

    done

}

get_sshkey_fprs() {

    local f

    for f in etc/ssh/ssh_host*_key.pub; do

        echo -n "  "

        ssh-keygen -l -f "$f"

    done

}

cleanup() {

    set +x

    if [ -n "$disk" ]; then

        echo "Maybe:"

        echo "lvremove $disk"

    fi

    echo

    if [ -n "${target:-}" ] && [ -e "$target" ]; then

        cd /

        if [ "$(stat -f / -c %i)" != "$(stat -f "$target" -c %i)" ]; then

            umount "$target"

        fi

        rmdir "$target"

    fi

    if [ -n "${part1:-}" ]; then

        kpartx -d -p -p -v "$disk"

    fi

}

check_installed debootstrap debian-archive-keyring kpartx ipv6calc

echo -n "New VM's name: "

if [ -n "${1:-}" ]; then echo "$1"; guest="$1"; shift; else read guest; fi

echo

echo -n "Disk size: [8g]"

if [ -n "${1:-}" ]; then echo "$1"; disksize="$1"; shift; else read disksize; fi

disksize=${disksize:-8g}

trap cleanup EXIT

LV="$guest"

lvcreate -L "$disksize" -n "$LV" "$VG"

disk="/dev/mapper/$VG-$(echo $guest | sed -e 's/-/--/')"

target="/mnt/target-$guest"

if ! [ -e "$disk" ]; then

    echo >&2 "Error: Disk $disk does not exist."

    exit 1

fi

if [ -e "$target" ]; then

    echo >&2 "Error: Directory $target already exists."

    exit 1

fi

if [ "$(head -c 65536 "$disk" | sha1sum | awk '{print $1}')" != "1adc95bebe9eea8c112d40cd04ab7a8d75c4f961" ]; then

    echo -n "Warning: Disk appears to be not be empty.  Continue anyway? [y/N] "

    read ans

    [ "$ans" = "y" ] || exit 0

fi

echo -n "ipaddr: "

if [ -n "${1:-}" ]; then echo "$1"; ipaddr="$1"; shift; else read ipaddr; fi

netmask=255.255.255.192

gateway=38.229.72.1

ip6addr=2620:0:6b0:b:1a1a::${ipaddr}

ip6gateway=2620:0:6b0:b::1

set -x

if [ -e "$disk-part1" ]; then

    # we already had a partition table and udev/kpartx got it at boot time

    kpartx -v -d -p -part $disk

fi

echo '2048,,L,*' | sfdisk -u S --Linux "$disk"

kpartx -v -p -p -a "$disk"

part1="${disk}-p1"

mkfs.ext4 "$part1"

mkdir "$target"

mount "$part1" "$target"

cd "$target"

debootstrap --variant=minbase --keyring=/usr/share/keyrings/debian-archive-keyring.gpg "$SUITE" . "$MIRROR"

### Set up swap and fstab

dd if=/dev/zero of=swapfile bs=1024k count=512

chmod 0 swapfile

mkswap ./swapfile

uuidroot=$(blkid -s UUID -o value ${part1}) &&

cat > etc/fstab << EOF

UUID=$uuidroot    /               ext4   errors=remount-ro 0       1

/swapfile none swap sw 0 0

EOF

echo 'RAMTMP=yes' >> etc/default/tmpfs

### Set up basic networking stuff

echo "$guest" > etc/hostname

cat > etc/hosts << EOF

127.0.0.1       localhost

# The following lines are desirable for IPv6 capable hosts

::1     localhost ip6-localhost ip6-loopback

fe00::0 ip6-localnet

ff00::0 ip6-mcastprefix

ff02::1 ip6-allnodes

ff02::2 ip6-allrouters

ff02::3 ip6-allhosts

EOF

rm -fv etc/udev/rules.d/70-persistent-*

mkdir -p etc/udev/rules.d/

touch etc/udev/rules.d/75-persistent-net-generator.rules

cat > etc/network/interfaces << EOF

auto lo

iface lo inet loopback

auto eth0

iface eth0 inet static

    address $ipaddr

    netmask $netmask

    up   ip route add $gateway/32 dev \$IFACE

    up   ip route add default via $gateway dev \$IFACE

    down ip route del default via $gateway dev \$IFACE

    down ip route del $gateway/32 dev \$IFACE

iface eth0 inet6 static

    address $ip6addr

    gateway $ip6gateway

    netmask 64

    accept_ra 0

EOF

cat > etc/resolv.conf << EOF

nameserver 8.8.8.8

search torproject.org

EOF

### A couple packages

mv etc/apt/sources.list etc/apt/sources.list.d/debian.list

chroot . apt-get update

echo "Apt::Install-Recommends 0;" > etc/apt/apt.conf.d/local-recommends

chroot . apt-get install -y locales-all net-tools iproute ifupdown dialog vim netbase udev psmisc usbutils pciutils

### Set up kernel and bootloader

chroot . apt-get install -y linux-image-amd64

DEBIAN_FRONTEND=noninteractive chroot . apt-get install -y grub2

! [ -e dev/vda ]

! [ -e dev/vda1 ]

cp -av `readlink -f "$disk"` dev/new-root

cp -av `readlink -f "$part1"` dev/new-root1

chroot . grub-install --modules=part_msdos /dev/new-root

rm -v dev/new-root*

cp -av `readlink -f "$disk"` dev/vda

cp -av `readlink -f "$part1"` dev/vda1

rm boot/grub/device.map

chroot . update-grub

rm -v dev/vda*

rootpw="$(head -c 12 /dev/urandom | base64)"

echo "root:$rootpw" | chroot . chpasswd

### install ssh

chroot . apt-get install -y ssh

sed -i -e "s/`hostname`\$/$guest/" etc/ssh/ssh_host*_key.pub

sshkeys="$(get_sshkey_fprs)"

rsahostkey="$(cat etc/ssh/ssh_host_rsa_key.pub)"

### clean up

trap - EXIT

cleanup

echo "$guest's root password is $rootpw"

echo "SSH host key fingerprints are:"

echo "$sshkeys"

echo "IP addresses:"

echo "  $ipaddr"

echo "  $ip6addr"

echo

echo "ud-ldap ldpavi snippet:"

cat << EOF

add host=$guest,ou=hosts,dc=torproject,dc=org

host: $guest

hostname: $guest.torproject.org

objectClass: top

objectClass: debianServer

l: Germany

distribution: Debian GNU/Linux

access: restricted

admin: torproject-admin@torproject.org

architecture: amd64

sshRSAHostKey: $rsahostkey

ipHostNumber: $ipaddr

ipHostNumber: `ipv6calc --in ipv6addr --out ipv6addr $ip6addr`

mXRecord: 0 INCOMING-MX

physicalHost: `hostname -f`

description: XXX

purpose: XXX

EOF

#sponsor: $SPONSOR

echo "Maybe run this now: "

echo " cd /etc/tor-virt && git pull && virsh define `hostname`/$guest.xml && virsh autostart $guest"

echo "And then:"

echo " virsh start $guest"

(all commands to be run as root unless otherwise noted)

* set a hostname - pick an unused one from https://svn.torproject.org/svn/projects/misc-sysadmin/onion-names.txt

* sane base setup

    cat /dev/null > /etc/default/locale

    # cat /etc/resolv.conf   # and ensure it has domain torproject.org in it.

    grep torproject.org /etc/resolv.conf || echo 'domain torproject.org' >>  /etc/resolv.conf

    cat /etc/hosts

* add to ldap on alberti

    for i in /etc/ssh/ssh_host_rsa_key.pub /etc/ssh/ssh_host_ed25519_key.pub; do

      echo "sshRSAHostKey: `cat $i`"; done

* then:

  : on alberti : && sudo -u sshdist ud-generate && sudo -H ud-replicate

  : on nevii : && sudo -H ud-replicate

* set up puppet:

  : on pauli : &&

        ( puppet agent -t --environment=production || true ) &&

        ud-replicate &&

        sudo -H -u puppet make -C /srv/puppet.torproject.org/auto-ca install

  : on new machine : &&

        me=$(hostname -f) &&

        [ "$me" != "${me%torproject.org}" ] &&

        apt-get update &&

        apt-get install -y --no-install-recommends puppet lsb-release &&

        service puppet stop &&

        systemctl mask puppet.service &&

        (puppet agent -t || true ) &&

        cd /var/lib/puppet/ssl/certificate_requests &&

        echo sha256sum output: &&

        echo &&

        sha256sum $me.pem &&

        echo &&

        echo &&

        cd /

  : on pauli: &&

        echo "paste sha256sum output now:" &&

        read sha256 filename &&

        cd /var/lib/puppet/ssl/ca/requests &&

        ( [ -e $filename ] || (echo "$filename does not exist."; exit 1) ) &&

        echo -e "$sha256  $filename" | sha256sum -c &&

        puppet ca sign $(basename "$filename" .pem) &&

        echo &&

        echo &&

        echo &&

        echo 'cat > /var/lib/puppet/ssl/certs/ca.pem << EOF ' &&

        cat /var/lib/puppet/ssl/certs/ca.pem &&

        echo 'EOF' &&

        echo "cat > /var/lib/puppet/ssl/certs/$filename << EOF " &&

        cat /var/lib/puppet/ssl/ca/signed/$filename &&

        echo 'EOF' &&

        echo 'puppet agent --enable' &&

        echo 'puppet agent -t --pluginsync' &&

        echo 'puppet agent -t --pluginsync' &&

        cd /

* copy paste the thing you just created on pauli into a root shell on the new host

* fix nsswitch for ud fu.  (you might have to restart sshd here)

    sed -i -e 's/^passwd:[[:space:]]\+compat$/passwd:         compat db/;

              s/^group:[[:space:]]\+compat$/group:          db compat/;

              s/^shadow:[[:space:]]\+compat$/shadow:         compat db/' \

        /etc/nsswitch.conf

    (cd / && service ssh restart)

* do more puppet runs

  puppet agent -t

  puppet agent -t

* get rid of unneeded network services:

  dpkg --purge portmap nfs-common exim4 exim4-base exim4-config exim4-daemon-light

  userdel -r Debian-exim

* fix etc/aliases

   ( ! grep '^root:' /etc/aliases && echo 'root: torproject-admin@torproject.org' >> /etc/aliases ) &&

    sed -i -e 's/^root:.*/root: torproject-admin@torproject.org/' /etc/aliases && newaliases

* set new root password, and document it

* run puppet a couple times 'til it converges:

  puppet agent -t ; puppet agent -t ; puppet agent -t ; puppet agent -t ;

* add more software

  apt-get install fail2ban

* swap and tmp

    grep tmpfs /etc/fstab || echo 'tmpfs /tmp tmpfs defaults 0 0' >> /etc/fstab

  ! grep swap /etc/fstab &&

  dd if=/dev/zero bs=1024k count=1024 of=/swapfile &&

  chmod 0 /swapfile &&

  mkswap /swapfile &&

  echo '/swapfile none swap sw 0 0' >> /etc/fstab &&

  swapon -a

* add to nagios